Secrets

Secrets are encrypted at rest with AES-256-GCM. Each secret gets its own data encryption key. Values are never stored in plaintext.

coldrune secret set DB_PASSWORD=s3cret --org my-org --project api --env prod

Setting an existing key creates a new version.

coldrune secret get DB_PASSWORD --org my-org --project api --env prod

coldrune secret list --org my-org --project api --env prod

Lists keys and metadata only. Values are not returned.

coldrune secret delete DB_PASSWORD --org my-org --project api --env prod

Soft-deletes the secret. The key can be reused.

# From .env file
coldrune secret import --file .env --org my-org --project api --env prod

# From JSON
coldrune secret import --file secrets.json --org my-org --project api --env prod

# From YAML
coldrune secret import --file config.yaml --org my-org --project api --env prod

Format is detected from the file extension (.env, .json, .yaml/.yml).

coldrune secret export --file .env --org my-org --project api --env prod

coldrune run --org my-org --project api --env prod -- ./deploy.sh

This fetches all secrets from the environment, injects them as environment variables, and replaces the current process with the command. The COLDRUNE_API_KEY variable is stripped from the child environment to prevent credential leakage.

Secret keys must be 1-100 characters long, start with a letter or underscore, and otherwise contain only alphanumeric characters, underscores, dots, or hyphens. Maximum value size is 64 KB.

Valid examples: DB_PASSWORD, api.key, redis-url, _PRIVATE_TOKEN
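The key and size rules above can be checked locally before an import, so a bad file is caught without sending anything to the server. This is an added example, not part of coldrune: the names `valid_key` and `lint_env` are hypothetical, and it assumes ASCII letters, plain `KEY=VALUE` lines with `#` comments, and that "64 KB" means 65536 bytes.

```shell
#!/bin/sh
# Added example: lint a .env file on stdin before `coldrune secret import`.
LC_ALL=C; export LC_ALL        # ASCII-only ranges, byte-wise lengths
MAX_VALUE_BYTES=65536          # assumption: "64 KB" means 64 * 1024 bytes

# valid_key KEY: succeeds if KEY satisfies the documented naming rule.
valid_key() {
  k=$1
  [ "${#k}" -ge 1 ] && [ "${#k}" -le 100 ] || return 1
  case $k in
    [!A-Za-z_]*)       return 1 ;;  # must start with a letter or underscore
    *[!A-Za-z0-9_.-]*) return 1 ;;  # then alphanumerics, _ . - only
  esac
  return 0
}

# lint_env: reads KEY=VALUE lines on stdin, prints one line per problem
# (key names only, never values) and returns 1 if any were found.
lint_env() {
  n=0; bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
    case $line in
      *=*) key=${line%%=*}; val=${line#*=} ;;
      *)   echo "line $n: missing '='"; bad=1; continue ;;
    esac
    valid_key "$key" || { echo "line $n: invalid key '$key'"; bad=1; }
    if [ "${#val}" -gt "$MAX_VALUE_BYTES" ]; then
      echo "line $n: value of '$key' exceeds $MAX_VALUE_BYTES bytes"; bad=1
    fi
  done
  return "$bad"
}

# Constructed sample input (not real secrets): lines 4 and 5 are rejected.
lint_env <<'EOF' || echo "fix the file before importing"
# sample
DB_PASSWORD=s3cret
api.key=abc
9LIVES=x
bad key=y
EOF
```

To check a real file, feed it on stdin (`lint_env < .env`); the output names only keys and line numbers, so it is safe to keep in CI logs.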

# Set
curl -X PUT http://localhost:7100/api/orgs/my-org/projects/api/envs/prod/secrets/DB_PASSWORD \
  -H 'Authorization: Bearer <token>' \
  -H 'Content-Type: application/json' \
  -d '{"value": "s3cret"}'

# Get
curl http://localhost:7100/api/orgs/my-org/projects/api/envs/prod/secrets/DB_PASSWORD \
  -H 'Authorization: Bearer <token>'

# List
curl http://localhost:7100/api/orgs/my-org/projects/api/envs/prod/secrets \
  -H 'Authorization: Bearer <token>'

# Delete
curl -X DELETE http://localhost:7100/api/orgs/my-org/projects/api/envs/prod/secrets/DB_PASSWORD \
  -H 'Authorization: Bearer <token>'